Personal-files interface not acting as expected

joedborg · February 28, 2019, 4:39pm

I’ve created this snap package https://github.com/joedborg/kubicorn/blob/master/snap/snapcraft.yaml, where I’m trying to use the personal-files interface (https://docs.snapcraft.io/the-personal-files-interface/9357).

plugs:
  kube-config:
    interface: personal-files
    read:
      - $HOME/.kube/config
    write:
      - $HOME/.kube/config

apps:
  kubicorn:
    command: kubicorn
    plugs:
      - home
      - network
      - ssh-keys
      - kube-config

However, when I run the snap, it seems that the package has no access to ~/.kube/config. I installed it like:

snap install --dangerous ./kubicorn_0+git.0c47cc61a-dirty_amd64.snap 
snap connect kubicorn:ssh-keys
snap connect kubicorn:kube-config

Could anyone help me with this please?

Version info:

snapcraft version                
snapcraft, version 3.2

snap version                     
snap    2.37.2
snapd   2.37.2
series  16
ubuntu  18.04
kernel  4.15.0-45-generic

chipaca · February 28, 2019, 4:44pm

I’m doing pretty much exactly that (except I only do the read bit), and it works for me:

plugs:
  gitconfig:
    interface: personal-files
    read: [$HOME/.gitconfig]

apps:
  git-icdiff:
    command: usr/bin/git-icdiff
    plugs:
      - home            # so it can acess files under the user's home
      - removable-media # so it can access things in /media, etc
      - gitconfig       # so it can access ~/.gitconfig :-)

pedronis · February 28, 2019, 5:31pm

don’t know if the interface needs to do more sanity checking (cc @jdstrand) but “write” implies “read” so there would be no need to repeat the same path there (otoh as I said not sure it creates problems because of not enough sanity checking or not)

zyga-snapd · February 28, 2019, 6:35pm

I think there might be something to it. I will add a test case for this.

joedborg · March 1, 2019, 8:57am

Thanks for all the feedback. I’ve just tried with only write this morning, but still seem to have the issue.

joedborg · March 1, 2019, 11:04am

Okay, further investigation. I can confirm this IS working as expected. The software seems to try and gain access to .kube/, which is denied unless explicitly listed (which makes sense), first, so you need to add all the base dirs to this list if your software spans/walks to find this file.

zyga-snapd · March 1, 2019, 1:57pm

Ah, interesting aspect. I will examine the code to see if we can improve this.